rpms/selinux-policy/F-7 policy-20070501.patch, 1.80, 1.81 selinux-policy.spec, 1.510, 1.511

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed Dec 12 15:44:34 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14342

Modified Files:
	policy-20070501.patch selinux-policy.spec 
Log Message:
* Wed Dec 12 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-62
- Fix labeling on * /usr/lib64/cups/backend/hp.*
- Upgrade to Fedora 8 cups policy


policy-20070501.patch:

Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.80
retrieving revision 1.81
diff -u -r1.80 -r1.81
--- policy-20070501.patch	3 Dec 2007 18:55:51 -0000	1.80
+++ policy-20070501.patch	12 Dec 2007 15:44:27 -0000	1.81
@@ -5154,8 +5154,8 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.6.4/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cups.fc	2007-11-28 08:28:47.000000000 -0500
-@@ -8,6 +8,7 @@
++++ serefpolicy-2.6.4/policy/modules/services/cups.fc	2007-12-12 10:15:07.000000000 -0500
+@@ -8,17 +8,15 @@
  /etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/printers\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -5163,30 +5163,82 @@
  /etc/cups/certs		-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  
-@@ -16,8 +17,9 @@
+-/etc/hp(/.*)?			gen_context(system_u:object_r:hplip_etc_t,s0)
+-
  /etc/printcap.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  
  /usr/bin/cups-config-daemon --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 +/usr/bin/hpijs		--	gen_context(system_u:object_r:hplip_exec_t,s0)
  
 -/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-+/usr/lib(64)?/cups/daemon -d gen_context(system_u:object_r:cupsd_exec_t,s0)
- /usr/lib(64)?/cups/daemon/.*	-- gen_context(system_u:object_r:cupsd_exec_t,s0)
+-/usr/lib(64)?/cups/daemon/.*	-- gen_context(system_u:object_r:cupsd_exec_t,s0)
  /usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
  
-@@ -52,3 +54,5 @@
+ /usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+@@ -26,6 +24,11 @@
+ /usr/sbin/cupsd		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
+ /usr/sbin/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+ /usr/sbin/hpiod		--	gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/sbin/hp-[^/]+	--	gen_context(system_u:object_r:hplip_exec_t,s0)
++# keep as separate lines to ensure proper sorting
++/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
++
+ /usr/sbin/printconf-backend --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+ /usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
+ /usr/sbin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
+@@ -33,7 +36,7 @@
+ 
+ /usr/share/cups(/.*)?		gen_context(system_u:object_r:cupsd_etc_t,s0)
+ /usr/share/foomatic/db/oldprinterids --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/usr/share/hplip/hpssd\.py --	gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/share/hplip/[^/]*\.py --	gen_context(system_u:object_r:hplip_exec_t,s0)
+ 
+ /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+@@ -51,4 +54,5 @@
+ /var/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
  /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
  
- /var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
+-/var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
 +/usr/local/Brother/inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/usr/local/Printer/[^/]*/inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.6.4/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cups.te	2007-11-26 13:00:58.000000000 -0500
-@@ -87,14 +87,13 @@
++++ serefpolicy-2.6.4/policy/modules/services/cups.te	2007-12-12 10:42:46.000000000 -0500
+@@ -1,5 +1,5 @@
+ 
+-policy_module(cups,1.6.0)
++policy_module(cups,1.7.2)
+ 
+ ########################################
+ #
+@@ -48,9 +48,8 @@
+ type hplip_t;
+ type hplip_exec_t;
+ init_daemon_domain(hplip_t,hplip_exec_t)
+-
+-type hplip_etc_t;
+-files_config_file(hplip_etc_t)
++domtrans_pattern(cupsd_t,hplip_exec_t, hplip_t)
++domtrans_pattern(cupsd_config_t,hplip_exec_t, hplip_t)
+ 
+ type hplip_var_run_t;
+ files_pid_file(hplip_var_run_t)
+@@ -79,22 +78,20 @@
+ #
+ 
+ # /usr/lib/cups/backend/serial needs sys_admin(?!)
+-allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
++allow cupsd_t self:capability { dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_admin sys_rawio sys_resource sys_tty_config };
+ dontaudit cupsd_t self:capability { sys_tty_config net_admin };
+-allow cupsd_t self:process { setsched signal_perms };
++allow cupsd_t self:process { setpgid setsched signal_perms };
+ allow cupsd_t self:fifo_file rw_file_perms;
+ allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow cupsd_t self:unix_dgram_socket create_socket_perms;
  allow cupsd_t self:netlink_selinux_socket create_socket_perms;
- allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
+-allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
 +allow cupsd_t self:shm create_shm_perms;
  allow cupsd_t self:tcp_socket create_stream_socket_perms;
  allow cupsd_t self:udp_socket create_socket_perms;
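Review bot: The rewritten capability set for cupsd_t now includes `sys_rawio`, but the only justification above that line is the pre-existing `# /usr/lib/cups/backend/serial needs sys_admin(?!)` comment, which does not cover it. `sys_rawio` is a broad capability, so the line should carry its own reason, e.g. `# sys_rawio: required by <backend> -- TODO confirm which backend triggers the denial`. While the line is being rewritten, the duplicated `dac_override` in the same set could also be dropped. This hunk also removes the `hplip_etc_t` type and its `/etc/hp(/.*)?` file context; files on upgraded systems that already carry that label presumably need a relabel step, which is outside this patch.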
@@ -5199,7 +5251,7 @@
  allow cupsd_t cupsd_etc_t:{ dir file } setattr;
  read_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
  read_lnk_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
-@@ -107,7 +106,7 @@
+@@ -107,7 +104,7 @@
  
  # allow cups to execute its backend scripts
  can_exec(cupsd_t, cupsd_exec_t)
@@ -5208,7 +5260,31 @@
  allow cupsd_t cupsd_exec_t:lnk_file read;
  
  manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
-@@ -151,20 +150,23 @@
+@@ -124,18 +121,20 @@
+ manage_sock_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
+ files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
+ 
+-read_files_pattern(cupsd_t,hplip_etc_t,hplip_etc_t)
+-
++allow cupsd_t hplip_t:process sigkill;
+ allow cupsd_t hplip_var_run_t:file { read getattr };
+ 
+ stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t)
+ allow cupsd_t ptal_var_run_t : sock_file setattr;
+ 
++auth_use_nsswitch(cupsd_t)
++
+ kernel_read_system_state(cupsd_t)
+ kernel_read_network_state(cupsd_t)
+ kernel_read_all_sysctls(cupsd_t)
+ 
+-corenet_non_ipsec_sendrecv(cupsd_t)
++corenet_all_recvfrom_unlabeled(cupsd_t)
++corenet_all_recvfrom_netlabel(cupsd_t)
+ corenet_tcp_sendrecv_all_if(cupsd_t)
+ corenet_udp_sendrecv_all_if(cupsd_t)
+ corenet_raw_sendrecv_all_if(cupsd_t)
+@@ -151,32 +150,36 @@
  corenet_tcp_bind_reserved_port(cupsd_t)
  corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
  corenet_tcp_connect_all_ports(cupsd_t)
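Review bot: `allow cupsd_t hplip_t:process sigkill;` added here has the same subject/object pair as the `allow cupsd_t hplip_t:process signal;` that this commit adds under the HPLIP section in a later hunk, so the cupsd_t-to-hplip_t signalling rule ends up split across two sections. Merging them into one rule next to the existing hplip_var_run_t access, `allow cupsd_t hplip_t:process { signal sigkill };`, keeps the relationship readable in one place. The newly added `auth_use_nsswitch(cupsd_t)` presumably already covers name-service configuration access, so the `sysnet_read_config(cupsd_t)` call that a later hunk keeps may be redundant; worth checking against the interface definition.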
@@ -5222,6 +5298,7 @@
  dev_read_urand(cupsd_t)
  dev_read_sysfs(cupsd_t)
 -dev_read_usbfs(cupsd_t)
++dev_rw_generic_usb_dev(cupsd_t)
 +dev_rw_usbfs(cupsd_t)
  dev_getattr_printer_dev(cupsd_t)
  
@@ -5233,15 +5310,31 @@
  
  mls_fd_use_all_levels(cupsd_t)
  mls_file_downgrade(cupsd_t)
-@@ -177,6 +179,7 @@
+-mls_file_write_down(cupsd_t)
+-mls_file_read_up(cupsd_t)
+-mls_rangetrans_target(cupsd_t)
++mls_file_write_all_levels(cupsd_t)
++mls_file_read_all_levels(cupsd_t)
+ mls_socket_write_all_levels(cupsd_t)
+ 
+ term_use_unallocated_ttys(cupsd_t)
  term_search_ptys(cupsd_t)
  
  auth_domtrans_chk_passwd(cupsd_t)
-+auth_domtrans_upd_passwd(cupsd_t)
++auth_domtrans_upd_passwd_chk(cupsd_t)
  auth_dontaudit_read_pam_pid(cupsd_t)
  
  # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
-@@ -199,14 +202,17 @@
+@@ -190,7 +193,7 @@
+ # read python modules
+ files_read_usr_files(cupsd_t)
+ # for /var/lib/defoma
+-files_search_var_lib(cupsd_t)
++files_read_var_lib_files(cupsd_t)
+ files_list_world_readable(cupsd_t)
+ files_read_world_readable_files(cupsd_t)
+ files_read_world_readable_symlinks(cupsd_t)
+@@ -199,12 +202,9 @@
  files_read_var_symlinks(cupsd_t)
  # for /etc/printcap
  files_dontaudit_write_etc_files(cupsd_t)
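Review bot: Replacing `mls_file_write_down`/`mls_file_read_up`/`mls_rangetrans_target` with `mls_file_write_all_levels` and `mls_file_read_all_levels` widens cupsd_t from a read-up/write-down MLS exception to a read-and-write override at all sensitivity levels, and the commit message does not explain the change. cupsd_t is a ranged daemon per the `init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh)` call visible in the cups.te.old copy later in this diff, so this is a meaningful trusted-subject expansion and deserves a comment such as `# cupsd reads and writes spool files at all levels for MLS printing -- TODO confirm why write_down/read_up were insufficient`. Dropping `mls_rangetrans_target(cupsd_t)` presumably also removes range transitions into cupsd_t, if anything depended on them; a changelog sentence would help.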
@@ -5249,29 +5342,21 @@
 -# redhat bug #214953
 -# cjp: this might be a broken behavior
 -files_dontaudit_getattr_all_tmp_files(cupsd_t)
-+
-+# smbspool is iterating through all existing tmp files.
-+# Looking for kerberos files
-+files_getattr_all_tmp_files(cupsd_t)
-+files_read_all_tmp_files(cupsd_t)
-+files_dontaudit_getattr_all_tmp_sockets(cupsd_t)
  
  selinux_compute_access_vector(cupsd_t)
++selinux_validate_context(cupsd_t)
  
  init_exec_script_files(cupsd_t)
-+init_dontaudit_rw_utmp(cupsd_t)
  
- libs_use_ld_so(cupsd_t)
- libs_use_shared_libs(cupsd_t)
-@@ -214,6 +220,7 @@
+@@ -213,6 +213,7 @@
+ # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
  libs_read_lib_files(cupsd_t)
  
- logging_send_syslog_msg(cupsd_t)
 +logging_send_audit_msgs(cupsd_t)
+ logging_send_syslog_msg(cupsd_t)
  
  miscfiles_read_localization(cupsd_t)
- # invoking ghostscript needs to read fonts
-@@ -223,6 +230,7 @@
+@@ -223,25 +224,27 @@
  
  sysnet_read_config(cupsd_t)
  
@@ -5279,40 +5364,166 @@
  userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
  userdom_dontaudit_search_all_users_home_content(cupsd_t)
  
-@@ -233,6 +241,10 @@
+ # Write to /var/spool/cups.
+ lpd_manage_spool(cupsd_t)
++lpd_read_config(cupsd_t)
+ 
+ ifdef(`enable_mls',`
  	lpd_relabel_spool(cupsd_t)
  ')
  
+-ifdef(`targeted_policy',`
+-	files_dontaudit_read_root_files(cupsd_t)
+-
+-	term_dontaudit_use_unallocated_ttys(cupsd_t)
+-	term_dontaudit_use_generic_ptys(cupsd_t)
 +optional_policy(`
 +	avahi_dbus_chat(cupsd_t)
 +')
-+
- ifdef(`targeted_policy',`
- 	files_dontaudit_read_root_files(cupsd_t)
  
-@@ -284,6 +296,10 @@
++optional_policy(`
+ 	init_stream_connect_script(cupsd_t)
+ 
+ 	unconfined_rw_pipes(cupsd_t)
++	unconfined_rw_stream_sockets(cupsd_t)
+ 
+ 	optional_policy(`
+ 		init_dbus_chat_script(cupsd_t)
+@@ -284,16 +287,16 @@
  ')
  
  optional_policy(`
-+	nis_use_ypbind(cupsd_t)
+-	nscd_socket_use(cupsd_t)
+-')
+-
+-optional_policy(`
+ 	# cups execs smbtool which reads samba_etc_t files
+ 	samba_read_config(cupsd_t)
+ 	samba_rw_var_files(cupsd_t)
+ ')
+ 
+ optional_policy(`
++	mta_send_mail(cupsd_t)
 +')
 +
 +optional_policy(`
- 	nscd_socket_use(cupsd_t)
+ 	seutil_sigchld_newrole(cupsd_t)
  ')
  
-@@ -294,6 +310,10 @@
+@@ -341,7 +344,8 @@
+ kernel_read_system_state(cupsd_config_t)
+ kernel_read_kernel_sysctls(cupsd_config_t)
+ 
+-corenet_non_ipsec_sendrecv(cupsd_config_t)
++corenet_all_recvfrom_unlabeled(cupsd_config_t)
++corenet_all_recvfrom_netlabel(cupsd_config_t)
+ corenet_tcp_sendrecv_all_if(cupsd_config_t)
+ corenet_tcp_sendrecv_all_nodes(cupsd_config_t)
+ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -351,6 +355,7 @@
+ dev_read_sysfs(cupsd_config_t)
+ dev_read_urand(cupsd_config_t)
+ dev_read_rand(cupsd_config_t)
++dev_rw_generic_usb_dev(cupsd_config_t)
+ 
+ fs_getattr_all_fs(cupsd_config_t)
+ fs_search_auto_mountpoints(cupsd_config_t)
+@@ -396,12 +401,11 @@
+ 	')
  ')
  
- optional_policy(`
-+	sendmail_domtrans(cupsd_t)
+-ifdef(`targeted_policy',`
+-	files_dontaudit_read_root_files(cupsd_config_t)
+-
+-	term_dontaudit_use_unallocated_ttys(cupsd_config_t)
++optional_policy(`
+ 	term_use_generic_ptys(cupsd_config_t)
 +')
-+
+ 
 +optional_policy(`
- 	seutil_sigchld_newrole(cupsd_t)
+ 	unconfined_rw_pipes(cupsd_config_t)
  ')
  
-@@ -587,7 +607,7 @@
+@@ -422,6 +426,7 @@
+ optional_policy(`
+ 	hal_domtrans(cupsd_config_t)
+ 	hal_read_tmp_files(cupsd_config_t)
++	hal_dontaudit_use_fds(hplip_t)
+ ')
+ 
+ optional_policy(`
+@@ -492,7 +497,8 @@
+ kernel_read_system_state(cupsd_lpd_t)
+ kernel_read_network_state(cupsd_lpd_t)
+ 
+-corenet_non_ipsec_sendrecv(cupsd_lpd_t)
++corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
++corenet_all_recvfrom_netlabel(cupsd_lpd_t)
+ corenet_tcp_sendrecv_all_if(cupsd_lpd_t)
+ corenet_udp_sendrecv_all_if(cupsd_lpd_t)
+ corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t)
+@@ -510,6 +516,8 @@
+ 
+ files_read_etc_files(cupsd_lpd_t)
+ 
++auth_use_nsswitch(cupsd_lpd_t)
++
+ libs_use_ld_so(cupsd_lpd_t)
+ libs_use_shared_libs(cupsd_lpd_t)
+ 
+@@ -517,22 +525,12 @@
+ 
+ miscfiles_read_localization(cupsd_lpd_t)
+ 
+-sysnet_read_config(cupsd_lpd_t)
+-
+ cups_stream_connect(cupsd_lpd_t)
+ 
+ optional_policy(`
+ 	inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
+ ')
+ 
+-optional_policy(`
+-	nis_use_ypbind(cupsd_lpd_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(cupsd_lpd_t)
+-')
+-
+ ########################################
+ #
+ # HPLIP local policy
+@@ -550,14 +548,12 @@
+ allow hplip_t self:udp_socket create_socket_perms;
+ allow hplip_t self:rawip_socket create_socket_perms;
+ 
+-allow hplip_t cupsd_etc_t:dir search;
++allow hplip_t cupsd_etc_t:dir search_dir_perms;
+ 
+ cups_stream_connect(hplip_t)
+-
+-allow hplip_t hplip_etc_t:dir list_dir_perms;
+-read_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t)
+-read_lnk_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t)
+-files_search_etc(hplip_t)
++# For CUPS to run as a backend
++allow cupsd_t hplip_t:process signal;
++allow hplip_t cupsd_t:unix_stream_socket connected_stream_socket_perms;
+ 
+ manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
+ files_pid_filetrans(hplip_t,hplip_var_run_t,file)
+@@ -565,7 +561,8 @@
+ kernel_read_system_state(hplip_t)
+ kernel_read_kernel_sysctls(hplip_t)
+ 
+-corenet_non_ipsec_sendrecv(hplip_t)
++corenet_all_recvfrom_unlabeled(hplip_t)
++corenet_all_recvfrom_netlabel(hplip_t)
+ corenet_tcp_sendrecv_all_if(hplip_t)
+ corenet_udp_sendrecv_all_if(hplip_t)
+ corenet_raw_sendrecv_all_if(hplip_t)
+@@ -587,7 +584,7 @@
  dev_read_urand(hplip_t)
  dev_read_rand(hplip_t)
  dev_rw_generic_usb_dev(hplip_t)
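Review bot: `hal_dontaudit_use_fds(hplip_t)` is inserted into the `optional_policy` block that holds `hal_domtrans(cupsd_config_t)` in the cupsd_config_t section, so a rule about hplip_t is tied to the cupsd_config_t block and is easy to miss when reading the HPLIP local policy section; move it into its own hal-guarded `optional_policy` block in the HPLIP section. In the same hunk `term_use_generic_ptys(cupsd_config_t)` moves from a targeted_policy ifdef to an `optional_policy` block; if the terminal module is part of base, as in refpolicy, that turns a targeted-only grant into an unconditional one for every policy type, which the changelog does not mention. The `# For CUPS to run as a backend` rules placed in the HPLIP section include `allow cupsd_t hplip_t:process signal;`, which overlaps with the `sigkill` rule for the same pair added earlier in this commit and could be merged with it.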
@@ -5321,6 +5532,831 @@
  
  fs_getattr_all_fs(hplip_t)
  fs_search_auto_mountpoints(hplip_t)
+@@ -614,13 +611,7 @@
+ userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
+ userdom_dontaudit_search_all_users_home_content(hplip_t)
+ 
+-lpd_read_config(cupsd_t)
+-
+-ifdef(`targeted_policy', `
+-	term_dontaudit_use_unallocated_ttys(hplip_t)
+-	term_dontaudit_use_generic_ptys(hplip_t)
+-	files_dontaudit_read_root_files(hplip_t)
+-')
++lpd_manage_spool(hplip_t)
+ 
+ optional_policy(`
+ 	seutil_sigchld_newrole(hplip_t)
+@@ -662,7 +653,8 @@
+ kernel_list_proc(ptal_t)
+ kernel_read_proc_symlinks(ptal_t)
+ 
+-corenet_non_ipsec_sendrecv(ptal_t)
++corenet_all_recvfrom_unlabeled(ptal_t)
++corenet_all_recvfrom_netlabel(ptal_t)
+ corenet_tcp_sendrecv_all_if(ptal_t)
+ corenet_tcp_sendrecv_all_nodes(ptal_t)
+ corenet_tcp_sendrecv_all_ports(ptal_t)
+@@ -693,12 +685,6 @@
+ userdom_dontaudit_use_unpriv_user_fds(ptal_t)
+ userdom_dontaudit_search_all_users_home_content(ptal_t)
+ 
+-ifdef(`targeted_policy', `
+-	term_dontaudit_use_unallocated_ttys(ptal_t)
+-	term_dontaudit_use_generic_ptys(ptal_t)
+-	files_dontaudit_read_root_files(ptal_t)
+-')
+-
+ optional_policy(`
+ 	seutil_sigchld_newrole(ptal_t)
+ ')
+@@ -706,3 +692,54 @@
+ optional_policy(`
+ 	udev_read_db(ptal_t)
+ ')
++
++
++# This whole section needs to be moved to a smbspool policy
++# smbspool seems to be iterating through all existing tmp files.
++# Looking for kerberos files
++files_getattr_all_tmp_files(cupsd_t)
++userdom_read_unpriv_users_tmp_files(cupsd_t)
++files_dontaudit_getattr_all_tmp_sockets(cupsd_t)
++
++optional_policy(`
++	unconfined_read_tmp_files(cupsd_t)
++')
++
++ifdef(`targeted_policy',`
++	term_dontaudit_use_unallocated_ttys(cupsd_t)
++	term_dontaudit_use_generic_ptys(cupsd_t)
++
++	init_stream_connect_script(cupsd_t)
++
++	unconfined_rw_pipes(cupsd_t)
++
++	optional_policy(`
++		init_dbus_chat_script(cupsd_t)
++
++		unconfined_dbus_send(cupsd_t)
++
++		dbus_stub(cupsd_t)
++	')
++')
++
++ifdef(`targeted_policy',`
++	files_dontaudit_read_root_files(cupsd_config_t)
++
++	term_dontaudit_use_unallocated_ttys(cupsd_config_t)
++	term_use_generic_ptys(cupsd_config_t)
++
++	unconfined_rw_pipes(cupsd_config_t)
++')
++
++ifdef(`targeted_policy', `
++	term_dontaudit_use_unallocated_ttys(hplip_t)
++	term_dontaudit_use_generic_ptys(hplip_t)
++	files_dontaudit_read_root_files(hplip_t)
++')
++
++ifdef(`targeted_policy', `
++	term_dontaudit_use_unallocated_ttys(ptal_t)
++	term_dontaudit_use_generic_ptys(ptal_t)
++	files_dontaudit_read_root_files(ptal_t)
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te.old serefpolicy-2.6.4/policy/modules/services/cups.te.old
+--- nsaserefpolicy/policy/modules/services/cups.te.old	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.6.4/policy/modules/services/cups.te.old	2007-12-12 10:15:46.000000000 -0500
+@@ -0,0 +1,728 @@
++
++policy_module(cups,1.6.0)
++
++########################################
++#
++# Declarations
++#
++
++type cupsd_config_t;
++type cupsd_config_exec_t;
++init_daemon_domain(cupsd_config_t,cupsd_config_exec_t)
++
++type cupsd_config_var_run_t;
++files_pid_file(cupsd_config_var_run_t)
++
++type cupsd_t;
++type cupsd_exec_t;
++init_daemon_domain(cupsd_t,cupsd_exec_t)
++
++type cupsd_etc_t;
++files_config_file(cupsd_etc_t)
++
++type cupsd_rw_etc_t;
++files_config_file(cupsd_rw_etc_t)
++
++type cupsd_log_t;
++logging_log_file(cupsd_log_t)
++
++type cupsd_lpd_t;
++type cupsd_lpd_exec_t;
++domain_type(cupsd_lpd_t)
++domain_entry_file(cupsd_lpd_t,cupsd_lpd_exec_t)
++role system_r types cupsd_lpd_t;
++
++type cupsd_lpd_tmp_t;
++files_tmp_file(cupsd_lpd_tmp_t)
++
++type cupsd_lpd_var_run_t;
++files_pid_file(cupsd_lpd_var_run_t)
++
++type cupsd_tmp_t;
++files_tmp_file(cupsd_tmp_t)
++
++type cupsd_var_run_t;
++files_pid_file(cupsd_var_run_t)
++mls_trusted_object(cupsd_var_run_t)
++
++type hplip_t;
++type hplip_exec_t;
++init_daemon_domain(hplip_t,hplip_exec_t)
++
++type hplip_etc_t;
++files_config_file(hplip_etc_t)
++
++type hplip_var_run_t;
++files_pid_file(hplip_var_run_t)
++
++type ptal_t;
++type ptal_exec_t;
++init_daemon_domain(ptal_t,ptal_exec_t)
++
++type ptal_etc_t;
++files_config_file(ptal_etc_t)
++
++type ptal_var_run_t;
++files_pid_file(ptal_var_run_t)
++
++ifdef(`enable_mcs',`
++	init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh)
++')
++
++ifdef(`enable_mls',`
++	init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh)
++')
++
++########################################
++#
++# Cups local policy
++#
++
++# /usr/lib/cups/backend/serial needs sys_admin(?!)
++allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
++dontaudit cupsd_t self:capability { sys_tty_config net_admin };
++allow cupsd_t self:process { setsched signal_perms };
++allow cupsd_t self:fifo_file rw_file_perms;
++allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
++allow cupsd_t self:unix_dgram_socket create_socket_perms;
++allow cupsd_t self:netlink_selinux_socket create_socket_perms;
++allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
++allow cupsd_t self:shm create_shm_perms;
++allow cupsd_t self:tcp_socket create_stream_socket_perms;
++allow cupsd_t self:udp_socket create_socket_perms;
++allow cupsd_t self:appletalk_socket create_socket_perms;
++# generic socket here until appletalk socket is available in kernels
++allow cupsd_t self:socket create_socket_perms;
++
++allow cupsd_t cupsd_etc_t:{ dir file } setattr;
++read_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
++read_lnk_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
++files_search_etc(cupsd_t)
++
++manage_dirs_pattern(cupsd_t,cupsd_etc_t,cupsd_rw_etc_t)
++manage_files_pattern(cupsd_t,cupsd_etc_t,cupsd_rw_etc_t)
++filetrans_pattern(cupsd_t,cupsd_etc_t,cupsd_rw_etc_t,file)
++files_var_filetrans(cupsd_t,cupsd_rw_etc_t,{ dir file })
++
++# allow cups to execute its backend scripts
++can_exec(cupsd_t, cupsd_exec_t)
++allow cupsd_t cupsd_exec_t:dir search_dir_perms;
++allow cupsd_t cupsd_exec_t:lnk_file read;
++
++manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
++allow cupsd_t cupsd_log_t:dir setattr;
++logging_log_filetrans(cupsd_t,cupsd_log_t,{ file dir })
++
++manage_dirs_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t)
++manage_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t)
++manage_fifo_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t)
++files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
++
++allow cupsd_t cupsd_var_run_t:dir setattr;
++manage_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
++manage_sock_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
++files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
++
++read_files_pattern(cupsd_t,hplip_etc_t,hplip_etc_t)
++
++allow cupsd_t hplip_var_run_t:file { read getattr };
++
++stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t)
++allow cupsd_t ptal_var_run_t : sock_file setattr;
++
++kernel_read_system_state(cupsd_t)
++kernel_read_network_state(cupsd_t)
++kernel_read_all_sysctls(cupsd_t)
++
++corenet_non_ipsec_sendrecv(cupsd_t)
++corenet_tcp_sendrecv_all_if(cupsd_t)
++corenet_udp_sendrecv_all_if(cupsd_t)
++corenet_raw_sendrecv_all_if(cupsd_t)
++corenet_tcp_sendrecv_all_nodes(cupsd_t)
++corenet_udp_sendrecv_all_nodes(cupsd_t)
++corenet_raw_sendrecv_all_nodes(cupsd_t)
++corenet_tcp_sendrecv_all_ports(cupsd_t)
++corenet_udp_sendrecv_all_ports(cupsd_t)
++corenet_tcp_bind_all_nodes(cupsd_t)
++corenet_udp_bind_all_nodes(cupsd_t)
++corenet_tcp_bind_ipp_port(cupsd_t)
++corenet_udp_bind_ipp_port(cupsd_t)
++corenet_tcp_bind_reserved_port(cupsd_t)
++corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
++corenet_tcp_connect_all_ports(cupsd_t)
++corenet_tcp_connect_smbd_port(cupsd_t)
++corenet_sendrecv_hplip_client_packets(cupsd_t)
++corenet_sendrecv_ipp_client_packets(cupsd_t)
++corenet_sendrecv_ipp_server_packets(cupsd_t)
++corenet_tcp_bind_all_rpc_ports(cupsd_t)
++
++dev_rw_printer(cupsd_t)
++dev_read_urand(cupsd_t)
++dev_read_sysfs(cupsd_t)
++dev_rw_usbfs(cupsd_t)
++dev_getattr_printer_dev(cupsd_t)
++
++domain_read_all_domains_state(cupsd_t)
++
++fs_getattr_all_fs(cupsd_t)
++fs_search_auto_mountpoints(cupsd_t)
++fs_read_anon_inodefs_files(cupsd_t)
++
++mls_fd_use_all_levels(cupsd_t)
++mls_file_downgrade(cupsd_t)
++mls_file_write_down(cupsd_t)
++mls_file_read_up(cupsd_t)
++mls_rangetrans_target(cupsd_t)
++mls_socket_write_all_levels(cupsd_t)
++
++term_use_unallocated_ttys(cupsd_t)
++term_search_ptys(cupsd_t)
++
++auth_domtrans_chk_passwd(cupsd_t)
++auth_domtrans_upd_passwd(cupsd_t)
++auth_dontaudit_read_pam_pid(cupsd_t)
++
++# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
++corecmd_exec_shell(cupsd_t)
++corecmd_exec_bin(cupsd_t)
++
++domain_use_interactive_fds(cupsd_t)
++
++files_read_etc_files(cupsd_t)
++files_read_etc_runtime_files(cupsd_t)
++# read python modules
++files_read_usr_files(cupsd_t)
++# for /var/lib/defoma
++files_search_var_lib(cupsd_t)
++files_list_world_readable(cupsd_t)
++files_read_world_readable_files(cupsd_t)
++files_read_world_readable_symlinks(cupsd_t)
++# Satisfy readahead
++files_read_var_files(cupsd_t)
++files_read_var_symlinks(cupsd_t)
++# for /etc/printcap
++files_dontaudit_write_etc_files(cupsd_t)
++
++# smbspool is iterating through all existing tmp files.
++# Looking for kerberos files
++files_getattr_all_tmp_files(cupsd_t)
++files_read_all_tmp_files(cupsd_t)
++files_dontaudit_getattr_all_tmp_sockets(cupsd_t)
++
++selinux_compute_access_vector(cupsd_t)
++
++init_exec_script_files(cupsd_t)
++init_dontaudit_rw_utmp(cupsd_t)
++
++libs_use_ld_so(cupsd_t)
++libs_use_shared_libs(cupsd_t)
++# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
++libs_read_lib_files(cupsd_t)
++
++logging_send_syslog_msg(cupsd_t)
++logging_send_audit_msgs(cupsd_t)
++
++miscfiles_read_localization(cupsd_t)
++# invoking ghostscript needs to read fonts
++miscfiles_read_fonts(cupsd_t)
++
++seutil_read_config(cupsd_t)
++
++sysnet_read_config(cupsd_t)
++
++files_dontaudit_list_home(cupsd_t)
++userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
++userdom_dontaudit_search_all_users_home_content(cupsd_t)
++
++# Write to /var/spool/cups.
++lpd_manage_spool(cupsd_t)
++
++ifdef(`enable_mls',`
++	lpd_relabel_spool(cupsd_t)
++')
++
++optional_policy(`
++	avahi_dbus_chat(cupsd_t)
++')
++
++ifdef(`targeted_policy',`
++	files_dontaudit_read_root_files(cupsd_t)
++
++	term_dontaudit_use_unallocated_ttys(cupsd_t)
++	term_dontaudit_use_generic_ptys(cupsd_t)
++
++	init_stream_connect_script(cupsd_t)
++
++	unconfined_rw_pipes(cupsd_t)
++
++	optional_policy(`
++		init_dbus_chat_script(cupsd_t)
++
++		unconfined_dbus_send(cupsd_t)
++
++		dbus_stub(cupsd_t)
++	')
++')
++
++optional_policy(`
++	apm_domtrans_client(cupsd_t)
++')
++
++optional_policy(`
++	cron_system_entry(cupsd_t, cupsd_exec_t)
++')
++
++optional_policy(`
++	dbus_system_bus_client_template(cupsd,cupsd_t)
++	dbus_send_system_bus(cupsd_t)
++
++	userdom_dbus_send_all_users(cupsd_t)
++
++	optional_policy(`
++		hal_dbus_chat(cupsd_t)
++	')
++')
++
++optional_policy(`
++	hostname_exec(cupsd_t)
++')
++
++optional_policy(`
++	inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t)
++')
++
++optional_policy(`
++	logrotate_domtrans(cupsd_t)
++')
++
++optional_policy(`
++	nis_use_ypbind(cupsd_t)
++')
++
++optional_policy(`
++	nscd_socket_use(cupsd_t)
++')
++
++optional_policy(`
++	# cups execs smbtool which reads samba_etc_t files
++	samba_read_config(cupsd_t)
++	samba_rw_var_files(cupsd_t)
++')
++
++optional_policy(`
++	sendmail_domtrans(cupsd_t)
++')
++
++optional_policy(`
++	seutil_sigchld_newrole(cupsd_t)
++')
++
++optional_policy(`
++	udev_read_db(cupsd_t)
++')
++
++########################################
++#
++# Cups configuration daemon local policy
++#
++
++allow cupsd_config_t self:capability { chown sys_tty_config };
++dontaudit cupsd_config_t self:capability sys_tty_config;
++allow cupsd_config_t self:process signal_perms;
++allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
++allow cupsd_config_t self:unix_stream_socket create_socket_perms;
++allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
++allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
++allow cupsd_config_t self:netlink_route_socket r_netlink_socket_perms;
++
++allow cupsd_config_t cupsd_t:process signal;
++ps_process_pattern(cupsd_config_t,cupsd_t)
++
++manage_files_pattern(cupsd_config_t,cupsd_etc_t,cupsd_etc_t)
++manage_lnk_files_pattern(cupsd_config_t,cupsd_etc_t,cupsd_etc_t)
++filetrans_pattern(cupsd_config_t,cupsd_etc_t,cupsd_rw_etc_t,file)
++
++manage_files_pattern(cupsd_config_t,cupsd_rw_etc_t,cupsd_rw_etc_t)
++manage_lnk_files_pattern(cupsd_config_t,cupsd_rw_etc_t,cupsd_rw_etc_t)
++files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file)
++
++can_exec(cupsd_config_t, cupsd_config_exec_t) 
++
++allow cupsd_config_t cupsd_log_t:file rw_file_perms;
++
++allow cupsd_config_t cupsd_tmp_t:file manage_file_perms;
++files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
++
++allow cupsd_config_t cupsd_var_run_t:file { getattr read };
++
++manage_files_pattern(cupsd_config_t,cupsd_config_var_run_t,cupsd_config_var_run_t)
++files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t,file)
++
++kernel_read_system_state(cupsd_config_t)
++kernel_read_kernel_sysctls(cupsd_config_t)
++
++corenet_non_ipsec_sendrecv(cupsd_config_t)
++corenet_tcp_sendrecv_all_if(cupsd_config_t)
++corenet_tcp_sendrecv_all_nodes(cupsd_config_t)
++corenet_tcp_sendrecv_all_ports(cupsd_config_t)
++corenet_tcp_connect_all_ports(cupsd_config_t)
++corenet_sendrecv_all_client_packets(cupsd_config_t)
++
++dev_read_sysfs(cupsd_config_t)
++dev_read_urand(cupsd_config_t)
++dev_read_rand(cupsd_config_t)
++
++fs_getattr_all_fs(cupsd_config_t)
++fs_search_auto_mountpoints(cupsd_config_t)
++
++corecmd_exec_bin(cupsd_config_t)
++corecmd_exec_shell(cupsd_config_t)
++
++domain_use_interactive_fds(cupsd_config_t)
++# killall causes the following
++domain_dontaudit_search_all_domains_state(cupsd_config_t)
++
++files_read_usr_files(cupsd_config_t)
++files_read_etc_files(cupsd_config_t)
++files_read_etc_runtime_files(cupsd_config_t)
++files_read_var_symlinks(cupsd_config_t)
++
++# Alternatives asks for this
++init_getattr_script_files(cupsd_config_t)
++
++libs_use_ld_so(cupsd_config_t)
++libs_use_shared_libs(cupsd_config_t)
++
++logging_send_syslog_msg(cupsd_config_t)
++
++miscfiles_read_localization(cupsd_config_t)
++
++seutil_dontaudit_search_config(cupsd_config_t)
++
++sysnet_read_config(cupsd_config_t)
++
++userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
++userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t)
++
++lpd_read_config(cupsd_config_t)
++
++cups_stream_connect(cupsd_config_t)
++
++ifdef(`distro_redhat',`
++	init_getattr_script_files(cupsd_config_t)
++
++	optional_policy(`
++		rpm_read_db(cupsd_config_t)
++	')
++')
++
++ifdef(`targeted_policy',`
++	files_dontaudit_read_root_files(cupsd_config_t)
++
++	term_dontaudit_use_unallocated_ttys(cupsd_config_t)
++	term_use_generic_ptys(cupsd_config_t)
++
++	unconfined_rw_pipes(cupsd_config_t)
++')
++
++optional_policy(`
++	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
++')
++
++optional_policy(`
++	dbus_system_bus_client_template(cupsd_config,cupsd_config_t)
++	dbus_connect_system_bus(cupsd_config_t)
++	dbus_send_system_bus(cupsd_config_t)
++
++	optional_policy(`
++		hal_dbus_chat(cupsd_config_t)
++	')
++')
++
++optional_policy(`
++	hal_domtrans(cupsd_config_t)
++	hal_read_tmp_files(cupsd_config_t)
++')
++
++optional_policy(`
++	hostname_exec(cupsd_config_t)
++')
++
++optional_policy(`
++	logrotate_use_fds(cupsd_config_t)
++')
++
++optional_policy(`
++	nis_use_ypbind(cupsd_config_t)
++')
++
++optional_policy(`
++	nscd_socket_use(cupsd_config_t)
++')
++
++optional_policy(`
++	rpm_read_db(cupsd_config_t)
++')
++
++optional_policy(`
++	seutil_sigchld_newrole(cupsd_config_t)
++')
++
++optional_policy(`
++	udev_read_db(cupsd_config_t)
++')
++
++########################################
++#
++# Cups lpd support
++#
++
++allow cupsd_lpd_t self:process signal_perms;
++allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
++allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
++allow cupsd_lpd_t self:udp_socket create_socket_perms;
++allow cupsd_lpd_t self:netlink_route_socket r_netlink_socket_perms;
++
++# for identd
++# cjp: this should probably only be inetd_child rules?
++allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
++allow cupsd_lpd_t self:capability { setuid setgid };
++files_search_home(cupsd_lpd_t)
++optional_policy(`
++	kerberos_use(cupsd_lpd_t)
++')
++#end for identd
++
++allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms;
++read_files_pattern(cupsd_lpd_t,cupsd_etc_t,cupsd_etc_t)
++read_lnk_files_pattern(cupsd_lpd_t,cupsd_etc_t,cupsd_etc_t)
++
++allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
++read_files_pattern(cupsd_lpd_t,cupsd_rw_etc_t,cupsd_rw_etc_t)
++read_lnk_files_pattern(cupsd_lpd_t,cupsd_rw_etc_t,cupsd_rw_etc_t)
++
++manage_dirs_pattern(cupsd_lpd_t,cupsd_lpd_tmp_t,cupsd_lpd_tmp_t)
++manage_files_pattern(cupsd_lpd_t,cupsd_lpd_tmp_t,cupsd_lpd_tmp_t)
++files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
++
++manage_files_pattern(cupsd_lpd_t,cupsd_lpd_var_run_t,cupsd_lpd_var_run_t)
++files_pid_filetrans(cupsd_lpd_t,cupsd_lpd_var_run_t,file)
++
++kernel_read_kernel_sysctls(cupsd_lpd_t)
++kernel_read_system_state(cupsd_lpd_t)
++kernel_read_network_state(cupsd_lpd_t)
++
++corenet_non_ipsec_sendrecv(cupsd_lpd_t)
++corenet_tcp_sendrecv_all_if(cupsd_lpd_t)
++corenet_udp_sendrecv_all_if(cupsd_lpd_t)
++corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t)
++corenet_udp_sendrecv_all_nodes(cupsd_lpd_t)
++corenet_tcp_sendrecv_all_ports(cupsd_lpd_t)
++corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
++corenet_tcp_bind_all_nodes(cupsd_lpd_t)
++corenet_udp_bind_all_nodes(cupsd_lpd_t)
++corenet_tcp_connect_ipp_port(cupsd_lpd_t)
++
++dev_read_urand(cupsd_lpd_t)
++dev_read_rand(cupsd_lpd_t)
++
++fs_getattr_xattr_fs(cupsd_lpd_t)
++
++files_read_etc_files(cupsd_lpd_t)
++
++libs_use_ld_so(cupsd_lpd_t)
++libs_use_shared_libs(cupsd_lpd_t)
++
++logging_send_syslog_msg(cupsd_lpd_t)
++
++miscfiles_read_localization(cupsd_lpd_t)
++
++sysnet_read_config(cupsd_lpd_t)
++
++cups_stream_connect(cupsd_lpd_t)
++
++optional_policy(`
++	inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
++')
++
++optional_policy(`
++	nis_use_ypbind(cupsd_lpd_t)
++')
++
++optional_policy(`
++	nscd_socket_use(cupsd_lpd_t)
++')
++
++########################################
++#
++# HPLIP local policy
++#
++
++# Needed for USB Scanneer and xsane
++allow hplip_t self:capability { dac_override dac_read_search net_raw };
++dontaudit hplip_t self:capability sys_tty_config;
++allow hplip_t self:fifo_file rw_fifo_file_perms;
++allow hplip_t self:process signal_perms;
++allow hplip_t self:unix_dgram_socket create_socket_perms;
++allow hplip_t self:unix_stream_socket create_socket_perms;
++allow hplip_t self:netlink_route_socket r_netlink_socket_perms;
++allow hplip_t self:tcp_socket create_stream_socket_perms;
++allow hplip_t self:udp_socket create_socket_perms;
++allow hplip_t self:rawip_socket create_socket_perms;
++
++allow hplip_t cupsd_etc_t:dir search;
++
++cups_stream_connect(hplip_t)
++
++allow hplip_t hplip_etc_t:dir list_dir_perms;
++read_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t)
++read_lnk_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t)
++files_search_etc(hplip_t)
++
++manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
++files_pid_filetrans(hplip_t,hplip_var_run_t,file)
++
++kernel_read_system_state(hplip_t)
++kernel_read_kernel_sysctls(hplip_t)
++
++corenet_non_ipsec_sendrecv(hplip_t)
++corenet_tcp_sendrecv_all_if(hplip_t)
++corenet_udp_sendrecv_all_if(hplip_t)
++corenet_raw_sendrecv_all_if(hplip_t)
++corenet_tcp_sendrecv_all_nodes(hplip_t)
++corenet_udp_sendrecv_all_nodes(hplip_t)
++corenet_raw_sendrecv_all_nodes(hplip_t)
++corenet_tcp_sendrecv_all_ports(hplip_t)
++corenet_udp_sendrecv_all_ports(hplip_t)
++corenet_tcp_bind_all_nodes(hplip_t)
++corenet_udp_bind_all_nodes(hplip_t)
++corenet_tcp_bind_hplip_port(hplip_t)
++corenet_tcp_connect_hplip_port(hplip_t)
++corenet_tcp_connect_ipp_port(hplip_t)
++corenet_sendrecv_hplip_client_packets(hplip_t)
++corenet_receive_hplip_server_packets(hplip_t)
++
++dev_read_sysfs(hplip_t)
++dev_rw_printer(hplip_t)
++dev_read_urand(hplip_t)
++dev_read_rand(hplip_t)
++dev_rw_generic_usb_dev(hplip_t)
++dev_rw_usbfs(hplip_t)
++
++fs_getattr_all_fs(hplip_t)
++fs_search_auto_mountpoints(hplip_t)
++
++# for python
++corecmd_exec_bin(hplip_t)
++
++domain_use_interactive_fds(hplip_t)
++
++files_read_etc_files(hplip_t)
++files_read_etc_runtime_files(hplip_t)
++files_read_usr_files(hplip_t)
++
++libs_use_ld_so(hplip_t)
++libs_use_shared_libs(hplip_t)
++
++logging_send_syslog_msg(hplip_t)
++
++miscfiles_read_localization(hplip_t)
++
++sysnet_read_config(hplip_t)
++
++userdom_dontaudit_use_unpriv_user_fds(hplip_t)
++userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
++userdom_dontaudit_search_all_users_home_content(hplip_t)
++
++lpd_read_config(cupsd_t)
++
++ifdef(`targeted_policy', `
++	term_dontaudit_use_unallocated_ttys(hplip_t)
++	term_dontaudit_use_generic_ptys(hplip_t)
++	files_dontaudit_read_root_files(hplip_t)
++')
++
++optional_policy(`
++	seutil_sigchld_newrole(hplip_t)
++')
++
++optional_policy(`
++	snmp_read_snmp_var_lib_files(hplip_t)
++')
++
++optional_policy(`
++	udev_read_db(hplip_t)
++')
++
++########################################
++#
++# PTAL local policy
++#
++
++allow ptal_t self:capability { chown sys_rawio };
++dontaudit ptal_t self:capability sys_tty_config;
++allow ptal_t self:fifo_file rw_fifo_file_perms;
++allow ptal_t self:unix_dgram_socket create_socket_perms;
++allow ptal_t self:unix_stream_socket create_stream_socket_perms;
++allow ptal_t self:tcp_socket create_stream_socket_perms;
++
++allow ptal_t ptal_etc_t:dir list_dir_perms;
++read_files_pattern(ptal_t,ptal_etc_t,ptal_etc_t)
++read_lnk_files_pattern(ptal_t,ptal_etc_t,ptal_etc_t)
++files_search_etc(ptal_t)
++
++manage_dirs_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
++manage_files_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
++manage_lnk_files_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
++manage_fifo_files_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
++manage_sock_files_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
++files_pid_filetrans(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_file })
++
++kernel_read_kernel_sysctls(ptal_t)
++kernel_list_proc(ptal_t)
++kernel_read_proc_symlinks(ptal_t)
++
++corenet_non_ipsec_sendrecv(ptal_t)
++corenet_tcp_sendrecv_all_if(ptal_t)
++corenet_tcp_sendrecv_all_nodes(ptal_t)
++corenet_tcp_sendrecv_all_ports(ptal_t)
++corenet_tcp_bind_all_nodes(ptal_t)
++corenet_tcp_bind_ptal_port(ptal_t)
++
++dev_read_sysfs(ptal_t)
++dev_read_usbfs(ptal_t)
++dev_rw_printer(ptal_t)
++
++fs_getattr_all_fs(ptal_t)
++fs_search_auto_mountpoints(ptal_t)
++
++domain_use_interactive_fds(ptal_t)
++
++files_read_etc_files(ptal_t)
++files_read_etc_runtime_files(ptal_t)
++
++libs_use_ld_so(ptal_t)
++libs_use_shared_libs(ptal_t)
++
++logging_send_syslog_msg(ptal_t)
++
++miscfiles_read_localization(ptal_t)
++
++sysnet_read_config(ptal_t)
++
++userdom_dontaudit_use_unpriv_user_fds(ptal_t)
++userdom_dontaudit_search_all_users_home_content(ptal_t)
++
++ifdef(`targeted_policy', `
++	term_dontaudit_use_unallocated_ttys(ptal_t)
++	term_dontaudit_use_generic_ptys(ptal_t)
++	files_dontaudit_read_root_files(ptal_t)
++')
++
++optional_policy(`
++	seutil_sigchld_newrole(ptal_t)
++')
++
++optional_policy(`
++	udev_read_db(ptal_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.6.4/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/cvs.te	2007-08-07 09:42:35.000000000 -0400
@@ -5654,7 +6690,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.6.4/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/dovecot.te	2007-11-13 16:42:56.000000000 -0500
++++ serefpolicy-2.6.4/policy/modules/services/dovecot.te	2007-12-06 20:33:54.000000000 -0500
 @@ -15,6 +15,12 @@
  domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
  role system_r types dovecot_auth_t;
@@ -5772,7 +6808,7 @@
  files_read_usr_symlinks(dovecot_auth_t)
  files_search_tmp(dovecot_auth_t)
  files_read_var_lib_files(dovecot_t)
-@@ -190,12 +202,58 @@
+@@ -190,12 +202,62 @@
  
  seutil_dontaudit_search_config(dovecot_auth_t)
  
@@ -5810,6 +6846,8 @@
 +#
 +# dovecot deliver local policy
 +#
++allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
++
 +allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
 +allow dovecot_deliver_t dovecot_var_run_t:dir r_dir_perms;
 +
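Review bot: The added `allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;` carries no comment saying why the deliver domain needs a datagram socket, and it sits directly under the section header with no blank line, unlike the other rules in this block. A why-comment would save the next maintainer a trip to the audit log, e.g. `# unix_dgram_socket: presumably for syslog(3) — confirm against the denial that prompted this`. Neither this rule nor the `dovecot_auth_stream_connect(dovecot_deliver_t)` call in the next dovecot.te hunk is reflected in the 2.6.4-62 changelog, which only lists the cups labeling and cups policy update; adding a line for the dovecot change would keep the spec history accurate. The enclosing dovecot_deliver_t block starts and ends outside this hunk.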
@@ -5824,6 +6862,8 @@
 +libs_use_ld_so(dovecot_deliver_t)
 +libs_use_shared_libs(dovecot_deliver_t)
 +
++dovecot_auth_stream_connect(dovecot_deliver_t)
++
 +miscfiles_read_localization(dovecot_deliver_t)
 +
 +optional_policy(`
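Review bot: `dovecot_auth_stream_connect(dovecot_deliver_t)` is inserted between the `libs_*` and `miscfiles_*` calls, which otherwise follow the refpolicy layer ordering in this block (kernel, corenet, dev, files, libs, logging, miscfiles, then optional_policy); a module-specific interface would conventionally go after the layer calls, so moving it below `miscfiles_read_localization(dovecot_deliver_t)` and ahead of the `optional_policy` blocks would keep the block consistent. The interface's definition is not visible in this diff, so I cannot tell from here whether it is provided by dovecot.if in the same patch; worth confirming before the module is built. The enclosing dovecot_deliver_t block starts and ends outside this hunk.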


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.510
retrieving revision 1.511
diff -u -r1.510 -r1.511
--- selinux-policy.spec	3 Dec 2007 18:55:51 -0000	1.510
+++ selinux-policy.spec	12 Dec 2007 15:44:27 -0000	1.511
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 61%{?dist}
+Release: 62%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -363,6 +363,10 @@
 %endif
 
 %changelog
+* Wed Dec 12 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-62
+- Fix labeling on * /usr/lib64/cups/backend/hp.*
+- Upgrade to Fedora 8 cups policy
+
 * Mon Dec 3 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-61
 - Remove duplicate defintion of /opt/Adobe
 



